Help configuring masquerading NAT

CarbonCollins

Nov 20, 2017
Hi all,

I currently have Proxmox installed on a server which has a single public IP address. In order for me to be able to route services to the containers I need to set up a Linux bridge with a masquerading NAT.

I tried to configure the server with the config supplied here: https://pve.proxmox.com/wiki/Network_Model#Masquerading_.28NAT.29_with_iptables

And after doing so, my container can ping the host (via its vmbr0 IP), however it does not have access to anything else. The host cannot ping the container, however I am still able to access the container through pct enter.

I am not sure what I have done wrong or if I have missed some configuration step, but this is what I have configured:

Host /etc/network/interfaces:
Code:
auto eth0
iface eth0 inet static
        address  10.10.10.11
        netmask  255.255.255.0
        gateway  10.10.10.1

allow-hotplug eth1

iface eth1 inet dhcp

allow-hotplug eth2

iface eth2 inet dhcp

auto vmbr0
iface vmbr0 inet static
        address  192.168.0.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o eth0 -j MASQUERADE

The container has a net0 device with an IP of 192.168.0.2 and a gateway of 192.168.0.1

Any help on this would be brilliant,

Thanks
 
The iptables nat entries contain "-o eth0", but AFAICS eth0 is an internal network - the access to the internet rather works across eth1 and/or eth2.

If you don't want to have any restrictions for the container, simply say

Code:
iptables -t nat -A POSTROUTING -s '192.168.0.0/24'  -j MASQUERADE

Regarding "The host cannot ping the container":

I would check possible firewall settings. If it does not work even though no firewall is set, check the packet flow with tcpdump.
 
Hi,

Checked, and I was unable to ping due to firewall rules blocking ping. After adding a rule for allowing ping packets I could then ping in both directions. I still, however, have not been able to access the internet from the container.
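
Added example, not part of the thread: a shell check for the point raised in the reply above, comparing the "-o" interface of each MASQUERADE rule with the interface that carries the default route. The sample route table is constructed and assumes the uplink is eth1; the function names are hypothetical.

```shell
# Added example (not from the thread). SAMPLE_* values are constructed.
# Assumption: the uplink is eth1 with a DHCP-supplied default route.
SAMPLE_ROUTES='default via 203.0.113.1 dev eth1 proto dhcp metric 100
default via 10.10.10.1 dev eth0 metric 200'
SAMPLE_IFACES="post-up   iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o eth0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o eth0 -j MASQUERADE"

# stdin: `ip -4 route show default`; prints the dev of the lowest-metric route.
default_iface() {
  awk '$1 == "default" {
         dev = ""; metric = 0            # a route without a metric counts as 0
         for (i = 2; i < NF; i++) {
           if ($i == "dev") dev = $(i + 1)
           if ($i == "metric") metric = $(i + 1) + 0
         }
         if (dev != "" && (best == "" || metric < bestm)) { best = dev; bestm = metric }
       }
       END { if (best != "") print best }'
}

# stdin: interfaces file text; prints the -o value of each appended rule, or "any".
masq_out_ifaces() {
  awk '/-A POSTROUTING/ && /-j MASQUERADE/ {
         out = "any"
         for (i = 1; i < NF; i++) if ($i == "-o") out = $(i + 1)
         print out
       }'
}

# $1 = routes text, $2 = interfaces text; returns 1 on any mismatch.
check_masq() {
  cm_rc=0
  cm_uplink=$(printf '%s\n' "$1" | default_iface)
  [ -n "$cm_uplink" ] || { echo "no default route found"; return 2; }
  while read -r cm_rule; do
    [ -n "$cm_rule" ] || continue
    if [ "$cm_rule" = "any" ] || [ "$cm_rule" = "$cm_uplink" ]; then
      echo "OK: MASQUERADE via $cm_rule covers uplink $cm_uplink"
    else
      echo "MISMATCH: rule has -o $cm_rule, default route leaves via $cm_uplink"
      cm_rc=1
    fi
  done <<EOF
$(printf '%s\n' "$2" | masq_out_ifaces)
EOF
  return $cm_rc
}

# Live use: check_masq "$(ip -4 route show default)" "$(cat /etc/network/interfaces)"
check_masq "$SAMPLE_ROUTES" "$SAMPLE_IFACES" || true
```

A rule without "-o" passes this check because it masquerades on every egress interface, which also makes it broader than a rule pinned to the uplink.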
 
